12 June 2012, 6:57

Hello everybody!

I have a question concerning the security of Mahara. Within a project we have to find out if Mahara can be used in continuing education counseling. The people would write many private information in Mahara and the question is: how secure is Mahara respectively how can I prevent the data being hacked? 

(If I produce a secret url it is a http- and not a https-protocol. Is this a problem of the configuration of the server or of Mahara?)

Would be very nice if anybody can help. The Forum for security only contains official announcements, so I postet it here.

Kind regards

Katharina Heyligers

12 June 2012, 15:23

Hello Katharina,

A secret URL (like the ones you get from Google to a document that you share with others) is as secure as you keep it. If you send it to only one person and that person then doesn't post it to a web site, the URL is safe. There it doesn't matter whether it is http or https. As soon as you include a secret URL as link on a public web site, search engines can find the page.

If you have really sensitive data then I suggest you create accounts for the people who shall look at the portfolio pages so they have to log in to view the portfolio. Then the portfolio writer doesn't have to use the secret URL but can share the page directly with a user and a login is necessary at all times. Of course, if the portfolio author then also shares the page with others or makes it public more people will have access to it.

The secret URL is pretty much a way of giving people who do not have a login access to a portfolio without making it available to the entire world. But you can easily prevent that by making them a login. That's what the permissions framework of Mahara is for to be able to decide very finely who shall have access to what page or collection at any time.

Cheers

Kristina